[dns-operations] Inconsistent NSEC response for unsigned zone from AWS

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jun 22 03:52:39 UTC 2021


On Tue, Jun 22, 2021 at 03:30:39AM +0000, Matt Nordhoff wrote:

> > Indeed I see the same:
> >
> >     $ dig +noall +dnssec +norecur +nocrypto +ans +auth +add -t NS corp.ibexglobal.com @ns-725.awsdns-26.net.
> >     corp.ibexglobal.com.    172800  IN      NS      ns-1415.awsdns-48.org.
> >     corp.ibexglobal.com.    172800  IN      NS      ns-1804.awsdns-33.co.uk.
> >     corp.ibexglobal.com.    172800  IN      NS      ns-29.awsdns-03.com.
> >     corp.ibexglobal.com.    172800  IN      NS      ns-945.awsdns-54.net.
> >     corp.ibexglobal.com.    86400   IN      NSEC    \000.corp.ibexglobal.com. RRSIG NSEC
> >     corp.ibexglobal.com.    86400   IN      RRSIG   NSEC 13 3 86400 20210623012420 20210621232420 36517 ibexglobal.com. [omitted]
> >
> > This violates <https://datatracker.ietf.org/doc/html/rfc4035#section-2.3>:
> 
> I haven't spent the time to understand precisely what this thread is
> talking about, but that's how NSEC white/black lies work. NS1 does the
> same thing (give or take possible bugs) as AWS.

No, there's a subtle difference: this qname actually exists and has an
NS RRset.  The NSEC bitmap needs to reflect this.

-- 
    Viktor.
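The check Viktor is applying, as an added example that is not part of the thread: a small Python script that parses dig-style presentation-format records and verifies that each NSEC type bitmap lists every RR type present at its owner name (RFC 4034 section 4.1.2, RFC 4035 section 2.3), and in particular that the parent-side NSEC at a delegation sets the NS bit (RFC 6840 section 4.4). The sample input is the response quoted above, with the RRSIG signature field left out exactly as in the post; the "compliant" variant with NS added to the bitmap is constructed here to show what a correct answer would look like.

```python
"""Consistency check for NSEC type bitmaps in a DNS response.

Added example, not from the original thread. It parses one-RR-per-line
presentation format (as printed by dig) and checks RFC 4034 s4.1.2 /
RFC 4035 s2.3: the NSEC type bitmap must list every RR type present at
the NSEC owner name, which at a delegation point includes NS.
"""
from collections import defaultdict

# Constructed input: the answer quoted in the thread, with the RRSIG
# signature field left out exactly as in the post.
AWS_RESPONSE = r"""
corp.ibexglobal.com.    172800  IN      NS      ns-1415.awsdns-48.org.
corp.ibexglobal.com.    172800  IN      NS      ns-1804.awsdns-33.co.uk.
corp.ibexglobal.com.    172800  IN      NS      ns-29.awsdns-03.com.
corp.ibexglobal.com.    172800  IN      NS      ns-945.awsdns-54.net.
corp.ibexglobal.com.    86400   IN      NSEC    \000.corp.ibexglobal.com. RRSIG NSEC
corp.ibexglobal.com.    86400   IN      RRSIG   NSEC 13 3 86400 20210623012420 20210621232420 36517 ibexglobal.com. [omitted]
"""

# Constructed input: the same answer with the bitmap a parent-side NSEC
# for an unsigned delegation must carry (NS set, DS and SOA clear).
COMPLIANT_RESPONSE = AWS_RESPONSE.replace("RRSIG NSEC\n", "NS RRSIG NSEC\n")


def parse_rrs(text):
    """Parse presentation-format lines into (owner, type, rdata) tuples.

    Owner names are lowercased for canonical comparison; blank lines and
    ';' comments are skipped.
    """
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _klass, rtype, *rdata = line.split()
        rrs.append((owner.lower(), rtype.upper(), rdata))
    return rrs


def check_nsec_bitmaps(text):
    """Return a list of findings; an empty list means every NSEC bitmap
    in the response agrees with the RRsets present at its owner name."""
    rrs = parse_rrs(text)
    types_at = defaultdict(set)   # owner -> set of RR types seen at that owner
    nsec_at = {}                  # owner -> (next owner name, type bitmap)
    for owner, rtype, rdata in rrs:
        types_at[owner].add(rtype)
        if rtype == "NSEC":
            next_owner = rdata[0].lower()
            bitmap = {t.upper() for t in rdata[1:]}
            nsec_at[owner] = (next_owner, bitmap)

    findings = []
    for owner, (_next_owner, bitmap) in nsec_at.items():
        # RFC 4034 s4.1.2: every type present at the owner must be in the
        # bitmap. NSEC and RRSIG are always present at a signed name.
        missing = (types_at[owner] | {"NSEC", "RRSIG"}) - bitmap
        if missing:
            findings.append(
                f"{owner}: bitmap {sorted(bitmap)} omits {sorted(missing)} "
                f"although the response carries those RRsets at this name")
        # RFC 4035 s2.3 / RFC 6840 s4.4: at a delegation the parent's NSEC
        # must set the NS bit, otherwise it does not prove an insecure
        # delegation to a validator asking for the DS RRset.
        if "NS" in types_at[owner] and "NS" not in bitmap:
            findings.append(
                f"{owner}: NS RRset present but NS bit absent; this NSEC "
                f"cannot serve as an insecure-delegation proof")
    return findings


if __name__ == "__main__":
    for label, resp in (("AWS response", AWS_RESPONSE),
                        ("compliant response", COMPLIANT_RESPONSE)):
        print(f"== {label}")
        for f in check_nsec_bitmaps(resp) or ["no findings"]:
            print("  ", f)
```

Run against the quoted answer the script reports that the bitmap omits NS and that the record therefore cannot prove an insecure delegation; against the constructed compliant variant it reports nothing. A black-lies style next-owner name such as `\000.corp.ibexglobal.com.` is fine on its own; what the check flags is only the mismatch between the bitmap and the RRsets the same server returns for the name.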


